PIX-to-PIX: How to redirect incoming traffic over VPN

Greetings security professionals.

I have two locations, A and B.
There is a PIX515E (OS 7.1) at each location.
They are linked by a working VPN tunnel.
A's inside address space is 192.168.1.0/24
B's inside address space is 10.0.32.0/24

A has a /24 external (globally routable) address space.
I want to be able to take one of those external addresses on the A-side PIX515E and NAT/"redirect" it over the VPN tunnel to one of B's inside addresses.

For example: 199.120.223.130 -> 10.0.32.251

199.120.223.130 is an external address on A-side.
10.0.32.251 is an inside address on B-side.

I've tried various attempts over the last two days without success. Is this even possible? Any help greatly appreciated.
My current working config is pasted below (routable addresses obscured).

corey

: Saved
:
PIX Version 7.1(2)
!
hostname pix
domain-name corey.com
enable password * encrypted
names
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 198.145.250.2 255.255.255.252
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd * encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name corey.com
same-security-traffic permit intra-interface
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 106 extended permit ip 192.168.1.0 255.255.255.0 10.0.32.0 255.255.255.0
access-list 107 extended permit ip any 10.0.32.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 107
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 199.120.223.129 192.168.1.5 netmask 255.255.255.255
static (inside,outside) 199.120.223.130 10.0.32.251 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 198.145.250.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.7 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map map1 10 match address 106
crypto map map1 10 set peer 79.64.25.118
crypto map map1 10 set transform-set myset
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 79.64.25.118 type ipsec-l2l
tunnel-group 79.64.25.118 general-attributes
tunnel-group 79.64.25.118 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 60
console timeout 0
Cryptochecksum:1575c605c799d09351813140d875e3c5
: end
lodcommAsked:

rsivanandanCommented:
I'm not sure if this is even do-able but I've not worked on 7.0 yet. But just curious, why do you want to do it? I mean on the other side (B side) pix, don't you have a public address and redirect it there through a static statement?

I mean, or else you could even do a port redirection, in case you don't have a spare static address at the B side.

Cheers,
Rajesh
lodcommAuthor Commented:

The reason I want to do this is simple. I need to temporarily redirect all IP traffic from one physical location to another, and it cannot be done with DNS changes.

lrmooreCommented:
Corey,
I'm afraid that this is not even possible with PIX. Not even with 7.x
Absolutely impossible with 6.x for sure

You want to nat a public IP on site A to a private IP on site B, over the VPN tunnel.

Just as an aside, acl 107 should not reference "any"
>access-list 107 extended permit ip any 10.0.32.0 255.255.255.0

It can only be from inside to remote:
>access-list 107 extended permit ip 192.168.1.0 255.255.255.0 10.0.32.0 255.255.255.0

And therein lies the primary issue.
With a pix, you can't take a source address from "any" public IP, static NAT to a private IP that is accessible only via a direct VPN tunnel to another location. It just can't happen....
The default gateway on the remote site must be its own local PIX, and that PIX has a default gateway for "any" to its local ISP, not across the VPN tunnel to respond directly out the "other" PIX.

Cyclops3590Commented:
lrmoore, are you sure about not with 7.x?
In 7.x they allow for intra-interface traffic.  I haven't tried it on 7.x, but will for the hell of it to check.  6.x won't though.  However, wouldn't a downfall of the needed configuration (since you are trying to use "any") be that all traffic from either the B network or that host on B has to be routed through the VPN to the A network and then out?

Until 7.x, traffic in PIXes was not allowed to travel between interfaces of the same security level (which of course included going in and out the same interface).  However, I have to agree with lrmoore on this one, it's either not feasible or possible.

What I would try is to do a static to a host on A, then have that host do a translation to the host on B and forward that packet on so that the host on B thinks the request came from the host on A.  How you'd do that could be difficult depending upon the A host you use.  This way the site-to-site VPN config doesn't need any changing and everything should route fine, provided the A host is properly configured to mangle the IP packet to source-NAT the packet to itself.

Or am I just wishful thinking that this would work?
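One concrete way to build the relay host Cyclops3590 describes, as an added example that is not from this thread or from Cisco: a Linux box at site A (hypothetical address 192.168.1.6, assumed to be the inside target of a replacement `static (inside,outside) 199.120.223.130 192.168.1.6` on the A-side PIX) DNATs what the PIX hands it to 10.0.32.251 and SNATs the source to its own address, so the flow matches crypto ACL 106 (192.168.1.0/24 -> 10.0.32.0/24) on the PIX and the B host answers back to the relay through the existing tunnel. It assumes iptables with conntrack on the relay and leaves ACLs 106 and 107 as posted.

```shell
#!/bin/sh
# Added example (not from the thread): Linux relay host at site A that turns
# traffic arriving via the PIX static into a 192.168.1.6 -> 10.0.32.251 flow.
# Addressing: 192.168.1.6 is a hypothetical relay host; 10.0.32.251 and the
# PIX inside address 192.168.1.1 come from the question and posted config.
RELAY_IP="${RELAY_IP:-192.168.1.6}"      # assumed relay host (A side)
TARGET_IP="${TARGET_IP:-10.0.32.251}"    # destination host on the B side
PIX_INSIDE="${PIX_INSIDE:-192.168.1.1}"  # A-side PIX, entry to the tunnel
A_NET="${A_NET:-192.168.1.0/24}"
B_NET="${B_NET:-10.0.32.0/24}"

# build_rules prints the commands; run with --apply (as root) to execute them.
build_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route replace $B_NET via $PIX_INSIDE
# Hosts on either LAN keep reaching the relay itself; only traffic that came
# in through the PIX static (i.e. from outside both LANs) is redirected.
iptables -t nat -A PREROUTING -s $A_NET -j RETURN
iptables -t nat -A PREROUTING -s $B_NET -j RETURN
iptables -t nat -A PREROUTING -d $RELAY_IP -j DNAT --to-destination $TARGET_IP
# Rewrite the source to the relay so the B host replies to us over the tunnel
# (conntrack reverses both translations on the reply packets).
iptables -t nat -A POSTROUTING -d $TARGET_IP -j SNAT --to-source $RELAY_IP
# Forward only the redirected flow and its replies; everything else is dropped.
# Narrow with "-p tcp --dport N" if only specific services need to cross.
iptables -A FORWARD -d $TARGET_IP -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $TARGET_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

case "${1:-}" in
    --apply) build_rules | sh ;;   # apply for real; needs root
    *)       build_rules ;;        # dry run: print what would be applied
esac
```

The B host then sees every connection as coming from 192.168.1.6, so its own logs lose the real client address; keep that record on the relay (conntrack or firewall logging) if you need it.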
lodcommAuthor Commented:
lrmoore, Cyclops3590  --

Thanks for your comments.

corey